CyberSecurity SEE

Malware-Infected USBs Compromise Japanese Military Networks


Cyberwarfare / Nation-State Attacks,
Endpoint Security,
Fraud Management & Cybercrime

Reused USB Drives Linked to China Spread Malware to Private Sector

Counterfeit flash drives embedded with a Chinese-linked computer virus and used by the Japanese army are now dispensing malware throughout other secure networks in the country. (Image: Shutterstock)

In a startling revelation, counterfeit USB flash drives embedded with a virus reportedly linked to Chinese cyber efforts have infiltrated the Japanese military and are now unleashing malware across various secure networks within the country. This alarming development raises significant concerns about cybersecurity protocols, especially regarding the critical role of USB drives in modern information systems.

According to an exclusive report by The Nikkei, the virus associated with these counterfeit drives was not detected until February 2025. This oversight allowed the malware to lurk undetected for nearly a full year after the flash drives were delivered to Japan’s Self-Defense Forces in March 2024, causing a substantial delay in addressing the security breach.

Internal military documents have indicated that the procurement source of these drives is now untraceable, complicating efforts to mitigate the threat. An investigation conducted by the army’s Cyber Defense Unit revealed that out of eight analyzed USB drives, six contained the malicious software. This intrusion has already compromised more than 50 of the 480 computers assessed, with approximately half of them operating on closed internal networks designed to safeguard sensitive military data.

Japan’s Self-Defense Forces and the Ministry of Defense rely heavily on both open and closed systems, using isolated networks in particular to store confidential information such as military orders and unit movements. Because those isolated networks have no direct connection to the outside, USB flash drives are routinely used to move data in and out of them, making the drives a natural conduit for malware.

The Defense Ministry, however, has downplayed the severity of the situation, asserting that the malware has had “no impact” on military systems and has shown no signs of “information exfiltration or external communication.” This response may reflect an attempt to reassure the public and the international community amid rising concerns over cyber threats from hostile nations.

Experts suggest that the malware’s proliferation can be attributed to users plugging these counterfeit drives into various non-government systems, inadvertently allowing the malware to spread beyond military networks into private-sector organizations. The malware is linked to a well-known Chinese-aligned advanced persistent threat group known as Mustang Panda. Although no official attribution has been made, this group has a history of utilizing removable media to deploy malicious software aimed at exfiltrating sensitive data.

Mark Rorabaugh, the President and CEO of InfraShield, acknowledged the reality of portable media’s integral role in infrastructure operations, asserting that “portable media is not going away.” He emphasized that critical infrastructure sectors depend on USB drives for a plethora of functions including software updates and diagnostics. Therefore, the focus should not be on completely eliminating the use of portable media, but rather on managing it securely to mitigate potential risks.

This incident shines a spotlight on the often-overlooked aspect of blended cyber-physical operations, which rely heavily on human behavior and social engineering techniques. Many individuals regard USB drives as commonplace productivity tools, rather than recognizing their potential as vectors for cyberattacks against secure environments. Rorabaugh encapsulated this concern succinctly, stating, “Introducing an unauthorized USB device into a secure environment is the cyber equivalent of carrying a live grenade through the front door of a protected facility.”

The Nikkei also reported that malicious USB drives are still available through online retailers in China, although specific details regarding the malware targeting Japan’s main military branch remain undisclosed. The broader implications of this situation extend beyond the military; industries such as healthcare, education, manufacturing, and finance are now also grappling with similar infections found within their closed systems across Japan.

These events echo long-standing warnings from U.S. intelligence agencies about a surge in sophisticated cyberattacks orchestrated by China-aligned hackers. The threat posed by embedded malware campaigns is not limited to Japan; other nations, including the United States, face the same challenge of cyberespionage. High-profile breaches have included attacks on law firms, major telecommunications companies, and professional social media platforms such as LinkedIn, illustrating the breadth of this cyber threat.
